sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderGeneralCases.java - sentry - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.sentry.policy.solr;

 import java.io.File;
 import java.io.IOException;
 import java.util.Arrays;
 import java.util.EnumSet;
 import java.util.List;
 import java.util.Set;

 import com.google.common.collect.Sets;
 import junit.framework.Assert;

 import org.apache.commons.io.FileUtils;
 import org.apache.sentry.core.common.Action;
 import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.common.Authorizable;
 import org.apache.sentry.core.common.Subject;
 import org.apache.sentry.core.model.search.Collection;
 import org.apache.sentry.core.model.search.SearchModelAction;
 import org.apache.sentry.core.model.search.SearchPrivilegeModel;
 import org.apache.sentry.core.common.service.GroupMappingService;
 import org.apache.sentry.provider.common.ResourceAuthorizationProvider;
 import org.apache.sentry.provider.file.HadoopGroupResourceAuthorizationProvider;
 import org.apache.sentry.core.common.utils.PolicyFiles;
 import org.junit.After;
 import org.junit.Test;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 import com.google.common.base.Objects;
 import com.google.common.collect.HashMultimap;
 import com.google.common.collect.Multimap;
 import com.google.common.io.Files;


 public class TestSearchAuthorizationProviderGeneralCases {

   private static final Logger LOGGER = LoggerFactory
       .getLogger(TestSearchAuthorizationProviderGeneralCases.class);

   private static final Multimap<String, String> USER_TO_GROUP_MAP = HashMultimap
       .create();

   private static final Subject SUB_ADMIN = new Subject("admin1");
   private static final Subject SUB_MANAGER = new Subject("manager1");
   private static final Subject SUB_ANALYST = new Subject("analyst1");
   private static final Subject SUB_JUNIOR_ANALYST = new Subject("jranalyst1");

   private static final Collection COLL_PURCHASES = new Collection("purchases");
   private static final Collection COLL_ANALYST1 = new Collection("analyst1");
   private static final Collection COLL_JRANALYST1 = new Collection("jranalyst1");
   private static final Collection COLL_TMP = new Collection("tmpcollection");
   private static final Collection COLL_PURCHASES_PARTIAL = new Collection("purchases_partial");

   private static final SearchModelAction QUERY = SearchModelAction.QUERY;
   private static final SearchModelAction UPDATE = SearchModelAction.UPDATE;

   static {
     USER_TO_GROUP_MAP.putAll(SUB_ADMIN.getName(), Arrays.asList("admin"));
     USER_TO_GROUP_MAP.putAll(SUB_MANAGER.getName(), Arrays.asList("manager"));
     USER_TO_GROUP_MAP.putAll(SUB_ANALYST.getName(), Arrays.asList("analyst"));
     USER_TO_GROUP_MAP.putAll(SUB_JUNIOR_ANALYST.getName(),
         Arrays.asList("jranalyst"));
   }

   private final ResourceAuthorizationProvider authzProvider;
   private File baseDir;

   public TestSearchAuthorizationProviderGeneralCases() throws IOException {
     baseDir = Files.createTempDir();
     PolicyFiles.copyToDir(baseDir, "solr-policy-test-authz-provider.ini");
     authzProvider = new HadoopGroupResourceAuthorizationProvider(
             SearchPolicyTestUtil.createPolicyEngineForTest(new File(baseDir, "solr-policy-test-authz-provider.ini").getPath()),
         new MockGroupMappingServiceProvider(USER_TO_GROUP_MAP), SearchPrivilegeModel.getInstance());

   }

   @After
   public void teardown() {
     if(baseDir != null) {
       FileUtils.deleteQuietly(baseDir);
     }
   }

   private void doTestAuthProviderOnCollection(Subject subject,
       Collection collection, Set<? extends Action> expectedPass) throws Exception {
     Set<SearchModelAction> allActions = EnumSet.of(SearchModelAction.ALL, SearchModelAction.QUERY, SearchModelAction.UPDATE);
     for(SearchModelAction action : allActions) {
       doTestResourceAuthorizationProvider(subject, collection,
         EnumSet.of(action), expectedPass.contains(action));
     }
   }

   private void doTestResourceAuthorizationProvider(Subject subject,
       Collection collection,
       Set<? extends Action> privileges, boolean expected) throws Exception {
     List<Authorizable> authzHierarchy = Arrays.asList(new Authorizable[] {
         collection
     });
     Objects.ToStringHelper helper = Objects.toStringHelper("TestParameters");
     helper.add("Subject", subject).add("Collection", collection)
       .add("Privileges", privileges).add("authzHierarchy", authzHierarchy);
     LOGGER.info("Running with " + helper.toString());
     Assert.assertEquals(helper.toString(), expected,
         authzProvider.hasAccess(subject, authzHierarchy, privileges, ActiveRoleSet.ALL));
     LOGGER.info("Passed " + helper.toString());
   }

   @Test
   public void testAdmin() throws Exception {
     Set<SearchModelAction> allActions = EnumSet.allOf(SearchModelAction.class);
     doTestAuthProviderOnCollection(SUB_ADMIN, COLL_PURCHASES, allActions);
     doTestAuthProviderOnCollection(SUB_ADMIN, COLL_ANALYST1, allActions);
     doTestAuthProviderOnCollection(SUB_ADMIN, COLL_JRANALYST1, allActions);
     doTestAuthProviderOnCollection(SUB_ADMIN, COLL_TMP, allActions);
     doTestAuthProviderOnCollection(SUB_ADMIN, COLL_PURCHASES_PARTIAL, allActions);
   }

   @Test
   public void testManager() throws Exception {
     Set<SearchModelAction> updateOnly = EnumSet.of(SearchModelAction.UPDATE);
     doTestAuthProviderOnCollection(SUB_MANAGER, COLL_PURCHASES, updateOnly);

     Set<SearchModelAction> allActions = EnumSet.allOf(SearchModelAction.class);
     doTestAuthProviderOnCollection(SUB_MANAGER, COLL_ANALYST1, allActions);
     doTestAuthProviderOnCollection(SUB_MANAGER, COLL_JRANALYST1, allActions);

     Set<SearchModelAction> queryUpdateOnly = EnumSet.of(QUERY, UPDATE);
     doTestAuthProviderOnCollection(SUB_MANAGER, COLL_TMP, queryUpdateOnly);

     Set<SearchModelAction> queryOnly = EnumSet.of(SearchModelAction.QUERY);
     doTestAuthProviderOnCollection(SUB_MANAGER, COLL_PURCHASES_PARTIAL, queryOnly);
   }

   @Test
   public void testAnalyst() throws Exception {
     Set<SearchModelAction> updateOnly = EnumSet.of(SearchModelAction.UPDATE);
     doTestAuthProviderOnCollection(SUB_ANALYST, COLL_PURCHASES, updateOnly);

     Set<SearchModelAction> allActions = EnumSet.allOf(SearchModelAction.class);
     doTestAuthProviderOnCollection(SUB_ANALYST, COLL_ANALYST1, allActions);
     doTestAuthProviderOnCollection(SUB_ANALYST, COLL_JRANALYST1, allActions);

     Set<SearchModelAction> queryUpdateOnly = EnumSet.of(QUERY, UPDATE);
     doTestAuthProviderOnCollection(SUB_ANALYST, COLL_TMP, queryUpdateOnly);

     Set<SearchModelAction> noActions = EnumSet.noneOf(SearchModelAction.class);
     doTestAuthProviderOnCollection(SUB_ANALYST, COLL_PURCHASES_PARTIAL, noActions);
   }

   @Test
   public void testJuniorAnalyst() throws Exception {
      Set<SearchModelAction> allActions = EnumSet.allOf(SearchModelAction.class);
      doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_JRANALYST1, allActions);

     Set<SearchModelAction> queryOnly = EnumSet.of(SearchModelAction.QUERY);
     doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_PURCHASES_PARTIAL, queryOnly);

     Set<SearchModelAction> noActions = EnumSet.noneOf(SearchModelAction.class);
     doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_PURCHASES, noActions);
     doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_ANALYST1, noActions);
     doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_TMP, noActions);
   }

   public class MockGroupMappingServiceProvider implements GroupMappingService {
     private final Multimap<String, String> userToGroupMap;

     public MockGroupMappingServiceProvider(Multimap<String, String> userToGroupMap) {
       this.userToGroupMap = userToGroupMap;
     }

     @Override
     public Set<String> getGroups(String user) {
       return Sets.newHashSet(userToGroupMap.get(user));
     }
   }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.sentry.policy.solr;

	import java.io.File;
	import java.io.IOException;
	import java.util.Arrays;
	import java.util.EnumSet;
	import java.util.List;
	import java.util.Set;

	import com.google.common.collect.Sets;
	import junit.framework.Assert;

	import org.apache.commons.io.FileUtils;
	import org.apache.sentry.core.common.Action;
	import org.apache.sentry.core.common.ActiveRoleSet;
	import org.apache.sentry.core.common.Authorizable;
	import org.apache.sentry.core.common.Subject;
	import org.apache.sentry.core.model.search.Collection;
	import org.apache.sentry.core.model.search.SearchModelAction;
	import org.apache.sentry.core.model.search.SearchPrivilegeModel;
	import org.apache.sentry.core.common.service.GroupMappingService;
	import org.apache.sentry.provider.common.ResourceAuthorizationProvider;
	import org.apache.sentry.provider.file.HadoopGroupResourceAuthorizationProvider;
	import org.apache.sentry.core.common.utils.PolicyFiles;
	import org.junit.After;
	import org.junit.Test;
	import org.slf4j.Logger;
	import org.slf4j.LoggerFactory;

	import com.google.common.base.Objects;
	import com.google.common.collect.HashMultimap;
	import com.google.common.collect.Multimap;
	import com.google.common.io.Files;


	public class TestSearchAuthorizationProviderGeneralCases {

	private static final Logger LOGGER = LoggerFactory
	.getLogger(TestSearchAuthorizationProviderGeneralCases.class);

	private static final Multimap<String, String> USER_TO_GROUP_MAP = HashMultimap
	.create();

	private static final Subject SUB_ADMIN = new Subject("admin1");
	private static final Subject SUB_MANAGER = new Subject("manager1");
	private static final Subject SUB_ANALYST = new Subject("analyst1");
	private static final Subject SUB_JUNIOR_ANALYST = new Subject("jranalyst1");

	private static final Collection COLL_PURCHASES = new Collection("purchases");
	private static final Collection COLL_ANALYST1 = new Collection("analyst1");
	private static final Collection COLL_JRANALYST1 = new Collection("jranalyst1");
	private static final Collection COLL_TMP = new Collection("tmpcollection");
	private static final Collection COLL_PURCHASES_PARTIAL = new Collection("purchases_partial");

	private static final SearchModelAction QUERY = SearchModelAction.QUERY;
	private static final SearchModelAction UPDATE = SearchModelAction.UPDATE;

	static {
	USER_TO_GROUP_MAP.putAll(SUB_ADMIN.getName(), Arrays.asList("admin"));
	USER_TO_GROUP_MAP.putAll(SUB_MANAGER.getName(), Arrays.asList("manager"));
	USER_TO_GROUP_MAP.putAll(SUB_ANALYST.getName(), Arrays.asList("analyst"));
	USER_TO_GROUP_MAP.putAll(SUB_JUNIOR_ANALYST.getName(),
	Arrays.asList("jranalyst"));
	}

	private final ResourceAuthorizationProvider authzProvider;
	private File baseDir;

	public TestSearchAuthorizationProviderGeneralCases() throws IOException {
	baseDir = Files.createTempDir();
	PolicyFiles.copyToDir(baseDir, "solr-policy-test-authz-provider.ini");
	authzProvider = new HadoopGroupResourceAuthorizationProvider(
	SearchPolicyTestUtil.createPolicyEngineForTest(new File(baseDir, "solr-policy-test-authz-provider.ini").getPath()),
	new MockGroupMappingServiceProvider(USER_TO_GROUP_MAP), SearchPrivilegeModel.getInstance());

	}

	@After
	public void teardown() {
	if(baseDir != null) {
	FileUtils.deleteQuietly(baseDir);
	}
	}

	private void doTestAuthProviderOnCollection(Subject subject,
	Collection collection, Set<? extends Action> expectedPass) throws Exception {
	Set<SearchModelAction> allActions = EnumSet.of(SearchModelAction.ALL, SearchModelAction.QUERY, SearchModelAction.UPDATE);
	for(SearchModelAction action : allActions) {
	doTestResourceAuthorizationProvider(subject, collection,
	EnumSet.of(action), expectedPass.contains(action));
	}
	}

	private void doTestResourceAuthorizationProvider(Subject subject,
	Collection collection,
	Set<? extends Action> privileges, boolean expected) throws Exception {
	List<Authorizable> authzHierarchy = Arrays.asList(new Authorizable[] {
	collection
	});
	Objects.ToStringHelper helper = Objects.toStringHelper("TestParameters");
	helper.add("Subject", subject).add("Collection", collection)
	.add("Privileges", privileges).add("authzHierarchy", authzHierarchy);
	LOGGER.info("Running with " + helper.toString());
	Assert.assertEquals(helper.toString(), expected,
	authzProvider.hasAccess(subject, authzHierarchy, privileges, ActiveRoleSet.ALL));
	LOGGER.info("Passed " + helper.toString());
	}

	@Test
	public void testAdmin() throws Exception {
	Set<SearchModelAction> allActions = EnumSet.allOf(SearchModelAction.class);
	doTestAuthProviderOnCollection(SUB_ADMIN, COLL_PURCHASES, allActions);
	doTestAuthProviderOnCollection(SUB_ADMIN, COLL_ANALYST1, allActions);
	doTestAuthProviderOnCollection(SUB_ADMIN, COLL_JRANALYST1, allActions);
	doTestAuthProviderOnCollection(SUB_ADMIN, COLL_TMP, allActions);
	doTestAuthProviderOnCollection(SUB_ADMIN, COLL_PURCHASES_PARTIAL, allActions);
	}

	@Test
	public void testManager() throws Exception {
	Set<SearchModelAction> updateOnly = EnumSet.of(SearchModelAction.UPDATE);
	doTestAuthProviderOnCollection(SUB_MANAGER, COLL_PURCHASES, updateOnly);

	Set<SearchModelAction> allActions = EnumSet.allOf(SearchModelAction.class);
	doTestAuthProviderOnCollection(SUB_MANAGER, COLL_ANALYST1, allActions);
	doTestAuthProviderOnCollection(SUB_MANAGER, COLL_JRANALYST1, allActions);

	Set<SearchModelAction> queryUpdateOnly = EnumSet.of(QUERY, UPDATE);
	doTestAuthProviderOnCollection(SUB_MANAGER, COLL_TMP, queryUpdateOnly);

	Set<SearchModelAction> queryOnly = EnumSet.of(SearchModelAction.QUERY);
	doTestAuthProviderOnCollection(SUB_MANAGER, COLL_PURCHASES_PARTIAL, queryOnly);
	}

	@Test
	public void testAnalyst() throws Exception {
	Set<SearchModelAction> updateOnly = EnumSet.of(SearchModelAction.UPDATE);
	doTestAuthProviderOnCollection(SUB_ANALYST, COLL_PURCHASES, updateOnly);

	Set<SearchModelAction> allActions = EnumSet.allOf(SearchModelAction.class);
	doTestAuthProviderOnCollection(SUB_ANALYST, COLL_ANALYST1, allActions);
	doTestAuthProviderOnCollection(SUB_ANALYST, COLL_JRANALYST1, allActions);

	Set<SearchModelAction> queryUpdateOnly = EnumSet.of(QUERY, UPDATE);
	doTestAuthProviderOnCollection(SUB_ANALYST, COLL_TMP, queryUpdateOnly);

	Set<SearchModelAction> noActions = EnumSet.noneOf(SearchModelAction.class);
	doTestAuthProviderOnCollection(SUB_ANALYST, COLL_PURCHASES_PARTIAL, noActions);
	}

	@Test
	public void testJuniorAnalyst() throws Exception {
	Set<SearchModelAction> allActions = EnumSet.allOf(SearchModelAction.class);
	doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_JRANALYST1, allActions);

	Set<SearchModelAction> queryOnly = EnumSet.of(SearchModelAction.QUERY);
	doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_PURCHASES_PARTIAL, queryOnly);

	Set<SearchModelAction> noActions = EnumSet.noneOf(SearchModelAction.class);
	doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_PURCHASES, noActions);
	doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_ANALYST1, noActions);
	doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_TMP, noActions);
	}

	public class MockGroupMappingServiceProvider implements GroupMappingService {
	private final Multimap<String, String> userToGroupMap;

	public MockGroupMappingServiceProvider(Multimap<String, String> userToGroupMap) {
	this.userToGroupMap = userToGroupMap;
	}

	@Override
	public Set<String> getGroups(String user) {
	return Sets.newHashSet(userToGroupMap.get(user));
	}
	}
	}